CN109510811A - Intrusion detection method, device and storage medium based on data packet - Google Patents
- Publication number: CN109510811A (CN201811144177.3A)
- Authority: CN (China)
- Prior art keywords: sample, data packet, training, feature, sample set
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
- G06F18/2148—Generating training patterns; Bootstrap methods, e.g. bagging or boosting characterised by the process organisation or structure, e.g. boosting cascade
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2411—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
An embodiment of the invention discloses a data-packet-based intrusion detection method, device and storage medium, relating to the field of network security. The method comprises: during intrusion detection, dividing a data flow into data packets; generating a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample; using the training packet sample set as input, training to obtain a strong classifier, the strong classifier being composed of multiple base classifiers; constructing an intrusion detection model based on the strong classifier; and using the test packet sample set as input, testing the intrusion detection model and obtaining a test result, the test result including a normal state and an abnormal state. The invention can improve the performance of intrusion detection.
Description
Technical field
The present invention relates to the field of network security, and in particular to a data-packet-based intrusion detection method, device and storage medium.
Background
With the development of network security technology, intrusion detection has become a problem of growing concern.
Most existing intrusion detection methods are based on individual data flows. When these methods are applied directly to the detection of sustained attacks (multiple consecutive abnormal flows), they cannot accurately reflect the security status in real time. For example, when detecting a DDoS attack, the intrusion behavior cannot be detected by analyzing only a single data flow. Moreover, for the detection of sustained attacks, detecting single data flows one after another also reduces the performance of the algorithm to some extent.
Summary of the invention
The embodiments of the present invention provide a data-packet-based intrusion detection method, device and storage medium, which can solve the problem of low intrusion detection performance.
To achieve the above object, the embodiments of the present invention adopt the following technical solutions:
In a first aspect, an embodiment of the present invention provides a data-packet-based intrusion detection method, comprising:
During intrusion detection, dividing a data flow into data packets;
Generating a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
Using the training packet sample set as input, training to obtain a strong classifier, the strong classifier being composed of multiple base classifiers;
Constructing an intrusion detection model based on the strong classifier;
Using the test packet sample set as input, testing the intrusion detection model and obtaining a test result, the test result including a normal state and an abnormal state.
With reference to the first aspect, in a first possible implementation of the first aspect, generating the training packet sample set and the test packet sample set based on the data packets includes:
Performing feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
Performing a distance transformation on each normalized sample feature;
Performing mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
Based on the feature vector corresponding to each sample, selecting multiple samples from the samples as training packet samples to obtain the training packet sample set; and selecting multiple samples from the samples as test packet samples to obtain the test packet sample set.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, performing feature normalization on each sample feature in the data packet includes:
According to the formula, obtaining the data packet matrix, wherein the data packet consists of m samples, each sample consists of n features, $x_i=(x_{i1},x_{i2},\dots,x_{in})$, $i=1,\dots,m$, is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample;
According to the formula, performing the feature normalization transformation on the data packet matrix, wherein $X$ is the sample features after normalization, and all elements take values in [0,1].
With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect, performing the distance transformation on each normalized sample feature includes:
According to the formula, performing the distance transformation with the feature distance function between $x_{ak}$ and $x_{bk}$, where $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix $X$, and $\tau=\{D_1,D_2,\dots,D_n\}$ is the distance matrix of the n features of the samples.
With reference to the first possible implementation of the first aspect, in a fourth possible implementation of the first aspect, performing mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample includes:
Constructing a 1 × r dimensional vector, wherein
According to the formula, performing the feature mapping, wherein P is the dimension of z and 0 ≤ i ≤ b-1.
With reference to the first aspect, in a fifth possible implementation of the first aspect, using the training packet sample set as input and training to obtain the strong classifier includes:
Performing a sampling operation based on Bagging;
Adjusting the sample size obtained by sampling, based on the AdaBoost iterative algorithm;
Training to obtain the strong classifier according to the samples corresponding to the sample size obtained by sampling.
In a second aspect, an embodiment of the present invention provides a data-packet-based intrusion detection device, comprising:
A division module, configured to divide a data flow into data packets during intrusion detection;
A generation module, configured to generate a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
A training module, configured to use the training packet sample set as input and train to obtain a strong classifier, the strong classifier being composed of multiple base classifiers;
A construction module, configured to construct an intrusion detection model based on the strong classifier;
A test module, configured to use the test packet sample set as input, test the intrusion detection model and obtain a test result, the test result including a normal state and an abnormal state.
With reference to the second aspect, in a first possible implementation of the second aspect, the generation module includes:
A normalization submodule, configured to perform feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
A distance transformation submodule, configured to perform a distance transformation on each normalized sample feature;
A mapping submodule, configured to perform mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
A selection submodule, configured to select, based on the feature vector corresponding to each sample, multiple samples from the samples as training packet samples to obtain the training packet sample set, and to select multiple samples from the samples as test packet samples to obtain the test packet sample set.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect,
The normalization submodule is configured to obtain, according to the formula, the data packet matrix, wherein the data packet consists of m samples, each sample consists of n features, $x_i=(x_{i1},x_{i2},\dots,x_{in})$, $i=1,\dots,m$, is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample; and to perform, according to the formula, the feature normalization transformation on the data packet matrix, wherein $X$ is the sample features after normalization, and all elements take values in [0,1].
With reference to the first possible implementation of the second aspect, in a third possible implementation of the second aspect,
The distance transformation submodule is configured to perform, according to the formula, the distance transformation with the feature distance function between $x_{ak}$ and $x_{bk}$, where $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix $X$, and $\tau=\{D_1,D_2,\dots,D_n\}$ is the distance matrix of the n features of the samples.
With reference to the first possible implementation of the second aspect, in a fourth possible implementation of the second aspect,
The mapping submodule is configured to construct a 1 × r dimensional vector, wherein According to the formula, performing the feature mapping, wherein P is the dimension of z and 0 ≤ i ≤ b-1.
With reference to the second aspect, in a fifth possible implementation of the second aspect,
A sampling submodule, configured to perform a sampling operation based on Bagging;
An adjustment submodule, configured to adjust the sample size obtained by sampling, based on the AdaBoost iterative algorithm;
A training submodule, configured to train to obtain the strong classifier according to the samples corresponding to the sample size obtained by sampling.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, characterized in that the steps of the method provided in the first aspect are implemented when the program is executed by a processor.
In the data-packet-based intrusion detection method, device and storage medium provided by the embodiments of the present invention, a data flow is divided into data packets during intrusion detection; a training packet sample set and a test packet sample set are generated based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample; the training packet sample set is used as input to train a strong classifier composed of multiple base classifiers; an intrusion detection model is constructed based on the strong classifier; and the test packet sample set is used as input to test the intrusion detection model and obtain a test result, the test result including a normal state and an abnormal state. This can improve the precision of intrusion detection, improve the recall during intrusion detection, improve the F-Score during intrusion detection, and reduce the FPR (False Positive Rate), thereby improving the performance of intrusion detection.
Brief description of the drawings
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic flowchart of the data-packet-based intrusion detection method of an embodiment of the present invention;
Fig. 2 is another schematic flowchart of the data-packet-based intrusion detection method of an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the data-packet-based intrusion detection device of an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the generation module of an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the training module of an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the data-packet-based intrusion detection device 600 of an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
One embodiment of the present invention provides a data-packet-based intrusion detection method. As shown in Fig. 1, the method includes:
101. During intrusion detection, dividing a data flow into data packets.
102. Generating a training packet sample set and a test packet sample set based on the data packets.
The training packet sample set includes at least one training sample, and the test packet sample set includes at least one test packet sample.
103. Using the training packet sample set as input, training to obtain a strong classifier.
The strong classifier is composed of multiple base classifiers.
104. Constructing an intrusion detection model based on the strong classifier.
105. Using the test packet sample set as input, testing the intrusion detection model and obtaining a test result.
The test result includes a normal state and an abnormal state.
Compared with the prior art, the embodiments of the present invention can improve the precision of intrusion detection, improve the recall during intrusion detection, improve the F-Score during intrusion detection, and reduce the FPR (False Positive Rate), thereby improving the performance of intrusion detection.
Another embodiment of the present invention provides a data-packet-based intrusion detection method. As shown in Fig. 2, the method includes:
201. During intrusion detection, dividing a data flow into data packets.
202. Performing feature normalization on each sample feature in the data packet.
The data packet includes multiple samples, and each sample includes multiple sample features.
203. Performing a distance transformation on each normalized sample feature.
Optionally, step 203 may be: according to the formula, obtaining the data packet matrix, wherein the data packet consists of m samples, each sample consists of n features, $x_i=(x_{i1},x_{i2},\dots,x_{in})$, $i=1,\dots,m$, is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample; and, according to the formula, performing the feature normalization transformation on the data packet matrix, wherein $X$ is the sample features after normalization, and all elements take values in [0,1].
204. Performing mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample.
Optionally, step 204 may be: according to the formula, performing the distance transformation with the feature distance function between $x_{ak}$ and $x_{bk}$, where $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix $X$, and $\tau=\{D_1,D_2,\dots,D_n\}$ is the distance matrix of the n features of the samples.
205. Based on the feature vector corresponding to each sample, selecting multiple samples from the samples as training packet samples to obtain the training packet sample set; and selecting multiple samples from the samples as test packet samples to obtain the test packet sample set.
Optionally, step 205 may be: constructing a 1 × r dimensional vector, wherein According to the formula, performing the feature mapping, wherein P is the dimension of z and 0 ≤ i ≤ b-1.
206. Using the training packet sample set as input, training to obtain a strong classifier.
The strong classifier is composed of multiple base classifiers.
Optionally, step 206 may include: performing a sampling operation based on Bagging; adjusting the sample size obtained by sampling, based on the AdaBoost iterative algorithm; and training to obtain the strong classifier according to the samples corresponding to the sample size obtained by sampling.
207. Constructing an intrusion detection model based on the strong classifier.
208. Using the test packet sample set as input, testing the intrusion detection model and obtaining a test result.
The test result includes a normal state and an abnormal state.
Compared with the prior art, the embodiments of the present invention can improve the precision of intrusion detection, improve the recall during intrusion detection, improve the F-Score during intrusion detection, and reduce the FPR (False Positive Rate), thereby improving the performance of intrusion detection.
The following are experimental data obtained by executing the data-packet-based intrusion detection method provided by the embodiments of the present invention on a computer running Windows 7 with 8 GB RAM and an Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz. The matrix transformation in the data packet representation, the classifier training and the ensemble integration are implemented in Python.
To illustrate the performance of the proposed intrusion detection model, Precision (P), Recall (R), False Positive Rate (FPR) and F-Score are selected as the evaluation metrics of the proposed model. The metrics are defined as follows:
Precision: P = TP / (TP + FP)
Recall: R = TP / (TP + FN)
False positive rate: FPR = FP / (FP + TN)
F-Score: the harmonic mean of recall and precision, which can be used as a statistical criterion for assessing model performance; the higher the F-Score, the better the model performs.
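Step 206 and the four metrics above, as an added example that is not code from the patent: a strong classifier is built from several base classifiers, each fitted on a Bagging-style bootstrap draw that follows the current AdaBoost sample weights, and is then scored with P, R, FPR and F-Score. Assumptions: decision stumps stand in for the base classifiers (the experiments on this page use SVMs), the way sampling and AdaBoost are combined is one reading of the text, and the two [0,1]-scaled features and all sample values are constructed.

```python
import math
import random

ABNORMAL, NORMAL = 1, -1  # the two test results named on the page


def fit_stump(X, y):
    """Base classifier: best one-feature threshold rule on (X, y)."""
    best = None  # (errors, feature index, threshold, polarity)
    for j in range(len(X[0])):
        vals = sorted({row[j] for row in X})
        # Candidate cuts: one below every value, then midpoints of neighbours.
        cuts = [vals[0] - 1.0] + [(a + b) / 2 for a, b in zip(vals, vals[1:])]
        for thr in cuts:
            for pol in (ABNORMAL, NORMAL):
                errs = sum((pol if row[j] > thr else -pol) != lab
                           for row, lab in zip(X, y))
                if best is None or errs < best[0]:
                    best = (errs, j, thr, pol)
    return best[1:]


def stump_predict(stump, row):
    j, thr, pol = stump
    return pol if row[j] > thr else -pol


def train_strong(X, y, rounds=5, seed=7):
    """AdaBoost over stumps, each fitted on a bootstrap draw of the training set."""
    rng = random.Random(seed)
    n = len(X)
    w = [1.0 / n] * n  # AdaBoost sample weights
    ensemble = []
    for _ in range(rounds):
        # Draw with replacement (Bagging); the AdaBoost weights steer the draw,
        # so misclassified samples appear more often in later rounds.
        idx = rng.choices(range(n), weights=w, k=n)
        stump = fit_stump([X[i] for i in idx], [y[i] for i in idx])
        preds = [stump_predict(stump, row) for row in X]
        err = sum(wi for wi, p, lab in zip(w, preds, y) if p != lab)
        err = min(max(err, 1e-10), 1 - 1e-10)  # a perfect stump must not yield log(inf)
        alpha = 0.5 * math.log((1 - err) / err)
        ensemble.append((alpha, stump))
        w = [wi * math.exp(-alpha * lab * p) for wi, p, lab in zip(w, preds, y)]
        total = sum(w)
        w = [wi / total for wi in w]
    return ensemble


def strong_predict(ensemble, row):
    """Weighted vote of the base classifiers."""
    score = sum(alpha * stump_predict(s, row) for alpha, s in ensemble)
    return ABNORMAL if score > 0 else NORMAL


def evaluate(y_true, y_pred):
    """Precision, recall, FPR and F-Score as defined on the page."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == ABNORMAL and p == ABNORMAL for t, p in pairs)
    fp = sum(t == NORMAL and p == ABNORMAL for t, p in pairs)
    fn = sum(t == ABNORMAL and p == NORMAL for t, p in pairs)
    tn = sum(t == NORMAL and p == NORMAL for t, p in pairs)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    f_score = (2 * precision * recall / (precision + recall)
               if precision + recall else 0.0)
    return {"precision": precision, "recall": recall, "fpr": fpr, "f_score": f_score}


# Constructed training samples: two hypothetical features already scaled to [0, 1].
TRAIN_X = ([(0.02 * i, 0.20 - 0.02 * i) for i in range(10)] +
           [(0.80 + 0.02 * i, 1.00 - 0.02 * i) for i in range(10)])
TRAIN_Y = [NORMAL] * 10 + [ABNORMAL] * 10
# Constructed test samples: the fifth (normal) and the last (abnormal) sit in
# the other class's feature range, so the metrics are not all perfect.
TEST_X = [(0.05, 0.10), (0.10, 0.15), (0.15, 0.05), (0.30, 0.20), (0.90, 0.85),
          (0.85, 0.90), (0.90, 0.95), (0.95, 0.80), (0.10, 0.10)]
TEST_Y = [NORMAL] * 5 + [ABNORMAL] * 4


def run_demo():
    model = train_strong(TRAIN_X, TRAIN_Y)
    return evaluate(TEST_Y, [strong_predict(model, r) for r in TEST_X])


if __name__ == "__main__":
    print(run_demo())
```

On the constructed test set the one false positive and the one false negative come from the two samples that fall in the other class's feature range, which is the kind of case where precision, recall and FPR diverge from plain accuracy.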
The performance comparison results of the packet-representation SVM and the other three SVMs on test data sets A, B, C and D are shown in Tables 1 to 4, and the average comparison results are shown in Table 5. In the tables, the packet-representation SVM refers to the scheme of the present invention; the other three data-transformation-type SVMs refer, respectively, to inputting the feature-normalized data packet samples into the classifier, inputting the feature-distance-transformed data packet samples into the classifier, and inputting the mapping-transformed data packet samples into the classifier.
Table 1. Performance comparison of the packet-representation SVM and the other three data-transformation-type SVMs on test data set A
Table 2. Performance comparison of the packet-representation SVM and the other three data-transformation-type SVMs on test data set B
Table 3. Performance comparison of the packet-representation SVM and the other three data-transformation-type SVMs on test data set C
Table 4. Performance comparison of the packet-representation SVM and the other three data-transformation-type SVMs on test data set D
Table 5. Average performance comparison of the packet-representation SVM and the other three data-transformation-type SVMs
The results shown in Tables 1 to 4 indicate that the packet-representation SVM outperforms the SVMs based on the other three existing common types of data set representation. This demonstrates that, compared with the prior art, the embodiments of the present invention can improve the precision of intrusion detection, improve the recall during intrusion detection, improve the F-Score during intrusion detection, and reduce the FPR, thereby improving the performance of intrusion detection.
Another embodiment of the present invention provides a data-packet-based intrusion detection device. As shown in Fig. 3, the device includes:
A division module 31, configured to divide a data flow into data packets during intrusion detection;
A generation module 32, configured to generate a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
A training module 33, configured to use the training packet sample set as input and train to obtain a strong classifier, the strong classifier being composed of multiple base classifiers;
A construction module 34, configured to construct an intrusion detection model based on the strong classifier;
A test module 35, configured to use the test packet sample set as input, test the intrusion detection model and obtain a test result, the test result including a normal state and an abnormal state.
Further, as shown in Fig. 4, the generation module 32 includes:
A normalization submodule 3201, configured to perform feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
A distance transformation submodule 3202, configured to perform a distance transformation on each normalized sample feature;
A mapping submodule 3203, configured to perform mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
A selection submodule 3204, configured to select, based on the feature vector corresponding to each sample, multiple samples from the samples as training packet samples to obtain the training packet sample set, and to select multiple samples from the samples as test packet samples to obtain the test packet sample set.
The normalization submodule 3201 is configured to obtain, according to the formula, the data packet matrix, wherein the data packet consists of m samples, each sample consists of n features, $x_i=(x_{i1},x_{i2},\dots,x_{in})$, $i=1,\dots,m$, is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample; and to perform, according to the formula, the feature normalization transformation on the data packet matrix, wherein $X$ is the sample features after normalization, and all elements take values in [0,1].
The distance transformation submodule 3202 is configured to perform, according to the formula, the distance transformation with the feature distance function between $x_{ak}$ and $x_{bk}$, where $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix $X$, and $\tau=\{D_1,D_2,\dots,D_n\}$ is the distance matrix of the n features of the samples.
The mapping submodule 3203 is configured to construct a 1 × r dimensional vector, wherein According to the formula, performing the feature mapping, wherein P is the dimension of z and 0 ≤ i ≤ b-1.
Further, as shown in Fig. 5, the training module 33 includes:
A sampling submodule 3301, configured to perform a sampling operation based on Bagging;
An adjustment submodule 3302, configured to adjust the sample size obtained by sampling, based on the AdaBoost iterative algorithm;
A training submodule 3303, configured to train to obtain the strong classifier according to the samples corresponding to the sample size obtained by sampling.
Compared with the prior art, the embodiments of the present invention can improve the precision of intrusion detection, improve the recall during intrusion detection, improve the F-Score during intrusion detection, and reduce the FPR (False Positive Rate), thereby improving the performance of intrusion detection.
An embodiment of the present invention also provides another computer-readable storage medium, which may be the computer-readable storage medium included in the memory in the above embodiment, or may be a computer-readable storage medium that exists separately and is not assembled into a terminal. The computer-readable storage medium stores one or more programs, which are used by one or more processors to execute the data-packet-based intrusion detection method provided by the embodiments shown in Fig. 1 and Fig. 2.
The data-packet-based intrusion detection device provided by the embodiments of the present invention can implement the method embodiments provided above; for the specific function implementation, refer to the description in the method embodiments, which is not repeated here. The data-packet-based intrusion detection method, device and storage medium provided by the embodiments of the present invention are applicable to performing intrusion detection, but are not limited thereto.
As shown in Fig. 6, the data-packet-based intrusion detection device 600 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a personal digital assistant, and the like.
Referring to Fig. 6, the data-packet-based intrusion detection device 600 may include one or more of the following components: a processing component 602, a memory 604, a power supply component 606, a multimedia component 608, an audio component 610, an input/output (I/O) interface 612, a sensor component 614 and a communication component 616.
The processing component 602 typically controls the overall operation of the unmanned aerial vehicle (UAV) control device 600, such as operations associated with display, telephone calls, data communication, camera operation and recording operations. The processing component 602 may include one or more processors 620 to execute instructions.
In addition, the processing component 602 may include one or more modules to facilitate interaction between the processing component 602 and other components. For example, the processing component 602 may include a multimedia module to facilitate interaction between the multimedia component 608 and the processing component 602.
The memory 604 is configured to store various types of data to support operation of the unmanned aerial vehicle (UAV) control device 600. Examples of such data include instructions for any application or method operating on the unmanned aerial vehicle (UAV) control device 600, contact data, phone book data, messages, pictures, videos, and the like. The memory 604 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.
The power supply component 606 provides power to the various components of the unmanned aerial vehicle (UAV) control device 600. The power supply component 606 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the unmanned aerial vehicle (UAV) control device 600.
The multimedia component 608 includes a screen that provides an output interface between the unmanned aerial vehicle (UAV) control device 600 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 608 includes a front camera and/or a rear camera. When the unmanned aerial vehicle (UAV) control device 600 is in an operation mode, such as a shooting mode or a video mode, the front camera and/or the rear camera can receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capability.
Audio component 610 is configured to output and/or input audio signals. For example, audio component 610 includes a microphone (MIC); when the unmanned aerial vehicle (UAV) control device 600 is in an operation mode, such as a call mode, a recording mode, or a voice recognition mode, the microphone is configured to receive external audio signals. The received audio signal may be further stored in memory 604 or sent via communication component 616. In some embodiments, audio component 610 further includes a loudspeaker for outputting audio signals.
I/O interface 612 provides an interface between processing component 602 and peripheral interface modules, which may be a keyboard, a click wheel, buttons, and the like. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
Sensor module 614 includes one or more sensors for providing status assessments of various aspects of the unmanned aerial vehicle (UAV) control device 600. For example, sensor module 614 can detect the open/closed state of the unmanned aerial vehicle (UAV) control device 600 and the relative positioning of components, for example the display and keypad of the unmanned aerial vehicle (UAV) control device 600. Sensor module 614 can also detect a change in position of the unmanned aerial vehicle (UAV) control device 600 or of one of its components, the presence or absence of user contact with the unmanned aerial vehicle (UAV) control device 600, the orientation or acceleration/deceleration of the unmanned aerial vehicle (UAV) control device 600, and a change in temperature of the unmanned aerial vehicle (UAV) control device 600. Sensor module 614 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. Sensor module 614 may also include an optical sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, sensor module 614 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
Communication component 616 is configured to facilitate wired or wireless communication between the unmanned aerial vehicle (UAV) control device 600 and other devices. The unmanned aerial vehicle (UAV) control device 600 can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, communication component 616 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, communication component 616 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module can be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the unmanned aerial vehicle (UAV) control device 600 can be implemented by one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field-programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors, or other electronic components.
The embodiments in this specification are described in a progressive manner. For identical or similar parts, the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, because the device embodiments are substantially similar to the method embodiments, they are described relatively briefly; for relevant details, refer to the description of the method embodiments.
Those of ordinary skill in the art will understand that all or part of the processes in the above method embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person familiar with the technical field can readily conceive of within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.
Claims (13)
1. A data-packet-based intrusion detection method, characterized by comprising:
during intrusion detection, dividing a data stream into data packets;
generating a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
training a strong classifier with the training packet sample set as input, the strong classifier being composed of multiple base classifiers;
constructing an IDS framework based on the strong classifier;
testing the IDS framework with the test packet sample set as input, and obtaining a test result, the test result including a normal state and an abnormal state.
2. The data-packet-based intrusion detection method according to claim 1, characterized in that generating the training packet sample set and the test packet sample set based on the data packets comprises:
performing feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
performing a distance transformation on each normalized sample feature;
performing mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
based on the feature vector corresponding to each sample, selecting multiple samples from the samples as training packet samples to obtain the training packet sample set, and selecting multiple samples from the samples as test packet samples to obtain the test packet sample set.
3. The data-packet-based intrusion detection method according to claim 2, characterized in that performing feature normalization on each sample feature in the data packet comprises:
obtaining a data packet matrix according to the formula, wherein the data packet is composed of m samples, each sample is composed of n features, $x_i = (x_{i1}, x_{i2}, \ldots, x_{in})$, $i = 1, \ldots, m$, is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample;
performing a feature normalization transformation on the data packet matrix according to the formula, wherein X is the sample features after normalization and all of the elements take values in [0, 1].
4. The data-packet-based intrusion detection method according to claim 2, characterized in that performing a distance transformation on each normalized sample feature comprises:
performing the distance transformation according to the formula, wherein the formula defines the feature distance function between $x_{ak}$ and $x_{bk}$, $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix X, and $\tau = \{D_1, D_2, \ldots, D_n\}$ is the distance matrix of the n features of each sample.
5. The data-packet-based intrusion detection method according to claim 2, characterized in that performing mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample comprises:
constructing a 1 × r dimensional vector;
performing feature mapping according to the formula, wherein p is the dimension of z and 0 ≤ i ≤ b-1.
6. The data-packet-based intrusion detection method according to claim 1, characterized in that training the strong classifier with the training packet sample set as input comprises:
performing a sampling operation based on the Bagging method;
adjusting the sample size obtained by sampling based on the AdaBoost iterative algorithm;
training the strong classifier from the samples corresponding to the sample size obtained by sampling.
7. A data-packet-based intrusion detection device, characterized by comprising:
a division module, configured to divide a data stream into data packets during intrusion detection;
a generation module, configured to generate a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
a training module, configured to train a strong classifier with the training packet sample set as input, the strong classifier being composed of multiple base classifiers;
a construction module, configured to construct an IDS framework based on the strong classifier;
a test module, configured to test the IDS framework with the test packet sample set as input and obtain a test result, the test result including a normal state and an abnormal state.
8. The data-packet-based intrusion detection device according to claim 7, characterized in that the generation module comprises:
a normalization submodule, configured to perform feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
a distance transformation submodule, configured to perform a distance transformation on each normalized sample feature;
a mapping submodule, configured to perform mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
a selection submodule, configured to select, based on the feature vector corresponding to each sample, multiple samples from the samples as training packet samples to obtain the training packet sample set, and to select multiple samples from the samples as test packet samples to obtain the test packet sample set.
9. The data-packet-based intrusion detection device according to claim 8, characterized in that
the normalization submodule is configured to obtain a data packet matrix according to the formula, wherein the data packet is composed of m samples, each sample is composed of n features, $x_i = (x_{i1}, x_{i2}, \ldots, x_{in})$, $i = 1, \ldots, m$, is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample; and to perform a feature normalization transformation on the data packet matrix according to the formula, wherein X is the sample features after normalization and all of the elements take values in [0, 1].
10. The data-packet-based intrusion detection device according to claim 8, characterized in that
the distance transformation submodule is configured to perform the distance transformation according to the formula, wherein the formula defines the feature distance function between $x_{ak}$ and $x_{bk}$, $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix X, and $\tau = \{D_1, D_2, \ldots, D_n\}$ is the distance matrix of the n features of each sample.
11. The data-packet-based intrusion detection device according to claim 8, characterized in that
the mapping submodule is configured to construct a 1 × r dimensional vector, and to perform feature mapping according to the formula, wherein p is the dimension of z and 0 ≤ i ≤ b-1.
12. The data-packet-based intrusion detection device according to claim 7, characterized in that the training module comprises:
a sampling submodule, configured to perform a sampling operation based on the Bagging method;
an adjustment submodule, configured to adjust the sample size obtained by sampling based on the AdaBoost iterative algorithm;
a training submodule, configured to train the strong classifier from the samples corresponding to the sample size obtained by sampling.
13. A computer-readable storage medium having a computer program stored thereon, characterized in that the program, when executed by a processor, implements the steps of the method of claims 1-6.
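The pipeline of claims 1, 2 and 6, as an added example that is not the patent's own code: packet features are normalized into [0, 1], split into training and test samples, and a strong classifier built from base classifiers labels the held-out samples as normal or abnormal. Assumptions: min-max scaling, decision stumps as base classifiers, one AdaBoost run per Bagging bootstrap combined by majority vote, and the constructed sample values; the distance transformation and feature mapping of claims 4 and 5 are left out because their formulas are not reproduced on this page.

```python
import math
import random

def min_max_normalize(samples):
    """Scale each feature column into [0, 1] (min-max scaling is an assumption)."""
    cols = list(zip(*samples))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(row, lo, hi)] for row in samples]

def train_stump(X, y, w):
    """Base classifier: weighted decision stump (err, feature, threshold, polarity)."""
    best = None
    for k in range(len(X[0])):
        for thr in sorted({row[k] for row in X}):
            for pol in (1, -1):
                err = sum(wi for row, yi, wi in zip(X, y, w)
                          if (pol if row[k] > thr else -pol) != yi)
                if best is None or err < best[0]:
                    best = (err, k, thr, pol)
    return best

def stump_predict(stump, row):
    _, k, thr, pol = stump
    return pol if row[k] > thr else -pol

def adaboost(X, y, rounds):
    """AdaBoost: reweight samples each round, return [(alpha, stump), ...]."""
    w = [1.0 / len(X)] * len(X)
    model = []
    for _ in range(rounds):
        stump = train_stump(X, y, w)
        err = min(max(stump[0], 1e-10), 1 - 1e-10)   # clamp to avoid log(0)
        alpha = 0.5 * math.log((1 - err) / err)
        model.append((alpha, stump))
        w = [wi * math.exp(-alpha * yi * stump_predict(stump, row))
             for row, yi, wi in zip(X, y, w)]
        total = sum(w)
        w = [wi / total for wi in w]
    return model

def train_strong_classifier(X, y, bags=5, rounds=3, seed=0):
    """Bagging: one AdaBoost model per bootstrap resample of the training set."""
    rng = random.Random(seed)
    ensemble = []
    for _ in range(bags):
        idx = [rng.randrange(len(X)) for _ in X]
        ensemble.append(adaboost([X[i] for i in idx], [y[i] for i in idx], rounds))
    return ensemble

def classify(ensemble, row):
    """Majority vote over the bagged AdaBoost models."""
    votes = sum(1 if sum(a * stump_predict(s, row) for a, s in m) > 0 else -1
                for m in ensemble)
    return "abnormal" if votes > 0 else "normal"

# Constructed per-packet samples: [payload bytes, SYN count, distinct ports]
RAW = [[420, 1, 1], [510, 1, 2], [380, 2, 1], [600, 1, 1], [450, 2, 2],       # normal
       [60, 40, 30], [48, 55, 45], [52, 70, 60], [64, 35, 25], [40, 90, 80],  # abnormal
       [350, 1, 1], [36, 60, 50]]                  # held-out test: normal, abnormal
NORM = min_max_normalize(RAW)
MODEL = train_strong_classifier(NORM[:10], [-1] * 5 + [1] * 5)  # -1 normal, +1 abnormal
RESULTS = [classify(MODEL, row) for row in NORM[10:]]
print(RESULTS)
```

Normalizing the whole packet before selecting training and test samples follows the order given in claim 2; in a deployment where test traffic arrives later, the scaling bounds would have to be fixed from the training data.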
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810809761 | 2018-07-23 | ||
CN201810809761X | 2018-07-23 |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109510811A (en) | 2019-03-22 |
CN109510811B (en) | 2022-08-09 |
Family
ID=65746298
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811144177.3A Active CN109510811B (en) | 2018-07-23 | 2018-09-29 | Intrusion detection method and device based on data packet and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109510811B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060004754A1 (en) * | 2004-06-30 | 2006-01-05 | International Business Machines Corporation | Methods and apparatus for dynamic classification of data in evolving data stream |
CN101060443A (en) * | 2006-04-17 | 2007-10-24 | 中国科学院自动化研究所 | An improved adaptive boosting algorithm based Internet intrusion detection method |
JP2009075737A (en) * | 2007-09-19 | 2009-04-09 | Nec Corp | Semi-supervised learning method, device, and program |
CN101471782A (en) * | 2007-12-26 | 2009-07-01 | 中国科学院自动化研究所 | Network inbreak detection method based on on-line hoisting algorithm |
CN101827002A (en) * | 2010-05-27 | 2010-09-08 | 文益民 | Concept drift detection method of data flow classification |
CN103678512A (en) * | 2013-12-26 | 2014-03-26 | 大连民族学院 | Data stream merge sorting method under dynamic data environment |
CN103716204A (en) * | 2013-12-20 | 2014-04-09 | 中国科学院信息工程研究所 | Abnormal intrusion detection ensemble learning method and apparatus based on Wiener process |
US20170364795A1 (en) * | 2016-06-15 | 2017-12-21 | Akw Analytics Inc. | Petroleum analytics learning machine system with machine learning analytics applications for upstream and midstream oil and gas industry |
CN108023876A (en) * | 2017-11-20 | 2018-05-11 | 西安电子科技大学 | Intrusion detection method and intruding detection system based on sustainability integrated study |
CN108093406A (en) * | 2017-11-29 | 2018-05-29 | 重庆邮电大学 | A kind of wireless sense network intrusion detection method based on integrated study |
CN108234500A (en) * | 2018-01-08 | 2018-06-29 | 重庆邮电大学 | A kind of wireless sense network intrusion detection method based on deep learning |
Non-Patent Citations (5)
Title |
---|
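Feng Lu: "Research on an intrusion detection model based on data stream feature selection and classification algorithms", China Master's Theses Full-text Database * |
Yao Yuan: "Research on classification methods for massive dynamic data streams", China Doctoral Dissertations Full-text Database * |
Zhu Guihong: "Research on network intrusion detection based on data streams", Computer Technology and Development * |
Wang Xiaochuan: "MATLAB Neural Networks: Analysis of 43 Cases", 31 August 2013, Beihang University Press * |
Wen Xin: "Implementing Neural Networks with MATLAB", 30 June 2015, National Defense Industry Press * |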
Also Published As
Publication number | Publication date |
---|---|
CN109510811B (en) | 2022-08-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105512685B (en) | Object identification method and device | |
CN109389162B (en) | Sample image screening technique and device, electronic equipment and storage medium | |
CN110191085B (en) | Intrusion detection method and device based on multiple classifications and storage medium | |
CN110009090A (en) | Neural metwork training and image processing method and device | |
CN106709399A (en) | Fingerprint identification method and device | |
WO2017128767A1 (en) | Fingerprint template input method and device | |
CN105956518A (en) | Face identification method, device and system | |
CN105701997A (en) | Alarm method and device | |
CN111242188B (en) | Intrusion detection method, intrusion detection device and storage medium | |
CN103902689A (en) | Clustering method, incremental clustering method and related device | |
CN109359056A (en) | A kind of applied program testing method and device | |
WO2022227562A1 (en) | Identity recognition method and apparatus, and electronic device, storage medium and computer program product | |
CN109842612A (en) | Log security analysis method, device and storage medium based on picture library model | |
CN104503888A (en) | Warning method and device | |
CN110222706A (en) | Ensemble classifier method, apparatus and storage medium based on feature reduction | |
CN109117874A (en) | Operation behavior prediction technique and device | |
CN105354560A (en) | Fingerprint identification method and device | |
CN109214175A (en) | Method, apparatus and storage medium based on sample characteristics training classifier | |
CN105654094B (en) | Feature extracting method and device | |
CN109981624A (en) | Intrusion detection method, device and storage medium | |
CN109598120A (en) | Security postures intelligent analysis method, device and the storage medium of mobile terminal | |
CN104484683A (en) | Porn picture detection method and device | |
US20220270352A1 (en) | Methods, apparatuses, devices, storage media and program products for determining performance parameters | |
CN106331328A (en) | Information prompting method and device | |
CN104850592B (en) | The method and apparatus for generating model file |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||